Higher Education Solutions 1 Internal Audit for Colleges and Universities By: Wally Wetherill, Regional Industry Partner – East Region John McKay, Supervisory Consultant OACUBO Conference
Higher Education Solutions 2 Internal Audit (IA) Assessing Risk Internal Audit Process-developing audit plans and process Examples if IA work Questions Agenda
Higher Education Solutions 3 Internal Audit Is the path to: Assessing and maintaining sufficiency in compliance Proactively addressing public scrutiny Enabling transparency
Higher Education Solutions 4 Internal Audit Defined Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an institution's operations. It helps an institution accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. (Institute of Internal Auditors)
Higher Education Solutions 5 Internal Audit Simplified Internal auditors are not external auditors Main objectives are different Work is not primarily financial statement based Do not render opinions But do have some similar approaches
Higher Education Solutions 6 Internal Audit Simplified Internal auditors Are independent on their institutional reporting (direct report to Audit Committee) Develop annual work plans through risk assessment and collaboration with senior and departmental management Focus of audit work is on: Laws and regulations (compliance) Policy and procedures (adherence) Efficiencies Process improvements
Higher Education Solutions 7 Internal Audit Simplified Internal auditors (continued) Communicate with and involve all levels of personnel Help educate the campus on compliance, controls and risk Provides suggestions for improvement Work together – on your terms – with the same goals
Higher Education Solutions 8 The Look of Internal Audit In house Co-sourced Outsourced * Regardless of how it is established, the process for conducting IA work remains the same
Higher Education Solutions 9 Establishing the IA Function Define your look/structure Audit Charter – defines reporting structure and authority Audit Committee and Charter
Higher Education Solutions 10 Assess Risk Enterprise Risk Management Management deploys and oversees ERM for the institution Define risk and opportunity Assess the risks and opportunities identified Management develops a means to proactively address the risks and opportunities identified: ► Avoid the risk – exit the activity giving rise to significant risk ► Reduce the risk – take action to reduce the likelihood or impact related to risk ► Share or insure the risk – transfer or share a portion of the risk in an effort to reduce the risk level ► Accept the risk - take no action
Higher Education Solutions 11 Assess Risk Enterprise Risk Management (continued) ERM may be based on COSO’s ERM Framework model As defined: ► A process, effected by an institution’s board of trustees, management and other personnel, applied a strategy setting and across the enterprise, designed to identify potential events that may affect the institution, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objections. (Committee of Sponsoring Organizations of the Treadway Commission _ COSO)
Higher Education Solutions 12 Assess Risk Enterprise Risk Management (continued) COSO framework Framework consists of five interrelated components: ► Control environment ► Risk assessment ► Control activities ► Information and communication ► Monitoring
Higher Education Solutions 13 Assess Risk
Higher Education Solutions 14 Assess Risk Enterprise Risk Management (continued) Four major areas of risk Operational (process and procedures) Financial Regulatory Reputational Why is ERM important today in colleges and universities?
Higher Education Solutions 15 Assess Risk BOARD OF TRUSTEES/REGENTS ACCREDITORS & AUDITORS ANALYSTS DONORS HIGHER ED INSTITUTION Seeking enhanced visibility into the risks of the Institution Instituting ERM ratings criteria for public debt issuers Seeking assurance on stewardship of donated funds Promoting greater accountability for risk management Enterprise Risk Management (continued) Why is ERM important today in colleges and universities
Higher Education Solutions 16 Assess Risk Internal audit risk assessment Process Considers results of ERM Defines the audit universe and auditable areas Establishes a consistent scoring structure Examine scores Apply risk rating Rank each auditable unit/function Becomes basis for allocating audit resources
Higher Education Solutions 17 Assess Risk Risk Profile – Heat Map High Moderate Low High Moderate Low Off-Campus Facilities Construction Management (Facilities) Central Billing Office Utilities Office of Research Administration Deferred Maintenance Endowment University Relations Gifts & Restricted Funds Financial Reporting Auxiliary Services Property Management Information Technology
Higher Education Solutions 18 Assess Risk Internal audit risk assessment (continued) Areas of risk assessment at a college (representative list) Student billing and collections Financial aid and grants Information technology Business office Athletics President’s office Purchasing and accounts payable Payroll and benefits Human resources Security Contract management Facilities/construction management Student clubs International programs
Higher Education Solutions 19 Develop Audit Plans Audit plan Identify the audit schedule for each auditable unit/function based on risk assessment High risk areas first Determine plan rotation Typically 3 to 5 years Plan is fluid and can (and probably will) change based on audit work
Higher Education Solutions 20 Develop Audit Plans Annual audit plan List of areas to cover in the year Should detail time line and lead individuals Should have status meetings or communication tool to provide updates and status of plan Include audit committee reporting time line
Higher Education Solutions 21 Internal Audit Project Process Meet with area personnel to identify: Processes Policies and procedures Laws and regulations Management concerns Review information to develop an internal audit program Request additional information
Higher Education Solutions 22 Internal Audit Project Process Perform testing Documentation Inquiry Observation Share and obtain input on results with area management Prepare written observations and recommendations
Higher Education Solutions 23 Internal Audit Project Process Obtain management’s responses Prepare audit report Issue report to departmental management, upper management and the audit committee/ board Follow up on status of previous findings is important
Higher Education Solutions 24 Examples of Internal Audit Work Process improvement analysis Eliminate duplication of effort Eliminate unnecessary steps Streamline to promote efficiency Compliance testing (more specific to regulatory or statutory rules) Financial aid Human resources Payroll and benefits Fund development and administration Grants Contracts
Higher Education Solutions 25 Examples of Internal Audit Work Policy and procedure adherence Internal control advisory services for process or system changes/enhancements Internal control testing External audit assistance Special projects to address items of immediate concern Athletics Student groups International programs Travel and expenses Off site programs
Higher Education Solutions 26 Conclusions – Internal Audit Proactively addresses compliance by being aware of and testing of laws and regulations Serves as a tool to address public scrutiny Indicates management and the board are interested in doing things the right way and correcting items that may be off the mark Provides a resource to the board and management to complete special assignments to address items of concern Results provided by an independent party carry more weight with the public and stakeholders
Higher Education Solutions 27 Conclusions – Internal Audit Promotes transparency in campus processes Results are formally reported Results include statements from management as to how any issues will be addressed Results provide ownership for corrective plan Results indicate cases in which everything is being performed as intended when there are no or few written findings Results available for management and the board
Higher Education Solutions 28 Thank you! Questions?